The following issues were found
samples/vfio-mdev/mdpy.c
9 issues
Line: 658
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
const struct mdpy_type *type =
&mdpy_types[mtype_get_type_group_id(mtype)];
return sprintf(buf, "%s\n", type->name);
}
static MDEV_TYPE_ATTR_RO(name);
static ssize_t description_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 684
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", VFIO_DEVICE_API_PCI_STRING);
}
static MDEV_TYPE_ATTR_RO(device_api);
static struct attribute *mdev_types_attrs[] = {
&mdev_type_attr_name.attr,
Reported by FlawFinder.
Line: 178
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_write)
handle_pci_cfg_write(mdev_state, pos, buf, count);
else
memcpy(buf, (mdev_state->vconfig + pos), count);
} else if ((pos >= MDPY_MEMORY_BAR_OFFSET) &&
(pos + count <=
MDPY_MEMORY_BAR_OFFSET + mdev_state->memsize)) {
pos -= MDPY_MEMORY_BAR_OFFSET;
Reported by FlawFinder.
Line: 185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MDPY_MEMORY_BAR_OFFSET + mdev_state->memsize)) {
pos -= MDPY_MEMORY_BAR_OFFSET;
if (is_write)
memcpy(mdev_state->memblk, buf, count);
else
memcpy(buf, mdev_state->memblk, count);
} else {
dev_info(mdev_state->vdev.dev,
Reported by FlawFinder.
Line: 187
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_write)
memcpy(mdev_state->memblk, buf, count);
else
memcpy(buf, mdev_state->memblk, count);
} else {
dev_info(mdev_state->vdev.dev,
"%s: %s @0x%llx (unhandled)\n", __func__,
is_write ? "WR" : "RD", pos);
Reported by FlawFinder.
Line: 525
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(&mdev_state->dev_info, &info, sizeof(info));
if (copy_to_user((void __user *)arg, &info, minsz))
return -EFAULT;
return 0;
Reported by FlawFinder.
Line: 631
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct mdev_state *mdev_state = dev_get_drvdata(dev);
return sprintf(buf, "%dx%d\n",
mdev_state->type->width,
mdev_state->type->height);
}
static DEVICE_ATTR_RO(resolution);
Reported by FlawFinder.
Line: 668
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
const struct mdpy_type *type =
&mdpy_types[mtype_get_type_group_id(mtype)];
return sprintf(buf, "virtual display, %dx%d framebuffer\n",
type->width, type->height);
}
static MDEV_TYPE_ATTR_RO(description);
static ssize_t available_instances_show(struct mdev_type *mtype,
Reported by FlawFinder.
Line: 677
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mdev_type_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", max_devices - mdpy_count);
}
static MDEV_TYPE_ATTR_RO(available_instances);
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
Reported by FlawFinder.
samples/bpf/xdp_tx_iptunnel_user.c
9 issues
Line: 178
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
if (optstr[i] != 'h' && 'a' <= optstr[i] && optstr[i] <= 'z')
opt_flags[(unsigned char)optstr[i]] = 1;
while ((opt = getopt(argc, argv, optstr)) != -1) {
unsigned short family;
unsigned int *v6;
switch (opt) {
case 'i':
Reported by FlawFinder.
Line: 76
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sum)
printf("proto %u: sum:%10llu pkts, rate:%10llu pkts/s\n",
proto, sum, sum / STATS_INTERVAL_S);
memcpy(prev[proto], values, sizeof(values));
}
}
}
static void usage(const char *cmd)
Reported by FlawFinder.
Line: 160
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
int min_port = 0, max_port = 0, vip2tnl_map_fd;
const char *optstr = "i:a:p:s:d:m:T:P:FSNh";
unsigned char opt_flags[256] = {};
struct bpf_prog_info info = {};
__u32 info_len = sizeof(info);
unsigned int kill_after_s = 0;
struct iptnl_info tnl = {};
struct bpf_object *obj;
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iptnl_info tnl = {};
struct bpf_object *obj;
struct vip vip = {};
char filename[256];
int opt, prog_fd;
int i, err;
tnl.family = AF_UNSPEC;
vip.protocol = IPPROTO_TCP;
Reported by FlawFinder.
Line: 186
Column: 15
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
case 'i':
ifindex = if_nametoindex(optarg);
if (!ifindex)
ifindex = atoi(optarg);
break;
case 'a':
vip.family = parse_ipstr(optarg, vip.daddr.v6);
if (vip.family == AF_UNSPEC)
return 1;
Reported by FlawFinder.
Line: 198
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
return 1;
break;
case 'P':
vip.protocol = atoi(optarg);
break;
case 's':
case 'd':
if (opt == 's')
v6 = tnl.saddr.v6;
Reported by FlawFinder.
Line: 227
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
break;
case 'T':
kill_after_s = atoi(optarg);
break;
case 'S':
xdp_flags |= XDP_FLAGS_SKB_MODE;
break;
case 'N':
Reported by FlawFinder.
Line: 174
Column: 18
CWE codes:
126
tnl.family = AF_UNSPEC;
vip.protocol = IPPROTO_TCP;
for (i = 0; i < strlen(optstr); i++)
if (optstr[i] != 'h' && 'a' <= optstr[i] && optstr[i] <= 'z')
opt_flags[(unsigned char)optstr[i]] = 1;
while ((opt = getopt(argc, argv, optstr)) != -1) {
unsigned short family;
Reported by FlawFinder.
Line: 248
Column: 18
CWE codes:
126
if (!(xdp_flags & XDP_FLAGS_SKB_MODE))
xdp_flags |= XDP_FLAGS_DRV_MODE;
for (i = 0; i < strlen(optstr); i++) {
if (opt_flags[(unsigned int)optstr[i]]) {
fprintf(stderr, "Missing argument -%c\n", optstr[i]);
usage(argv[0]);
return 1;
}
Reported by FlawFinder.
scripts/genksyms/genksyms.c
9 issues
Line: 684
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
fputs(">\n", debugfile);
/* Used as a linker script. */
printf(!flag_rel_crcs ? "__crc_%s = 0x%08lx;\n" :
"SECTIONS { .rodata : ALIGN(4) { "
"__crc_%s = .; LONG(0x%08lx); } }\n",
name, crc);
}
}
Reported by FlawFinder.
Line: 714
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
print_location();
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
putc('\n', stderr);
errors++;
}
Reported by FlawFinder.
Line: 773
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{0, 0, 0, 0}
};
while ((o = getopt_long(argc, argv, "s:dwqVDr:T:phR",
&long_opts[0], NULL)) != EOF)
#else /* __GNU_LIBRARY__ */
while ((o = getopt(argc, argv, "s:dwqVDr:T:phR")) != EOF)
#endif /* __GNU_LIBRARY__ */
switch (o) {
Reported by FlawFinder.
Line: 776
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
while ((o = getopt_long(argc, argv, "s:dwqVDr:T:phR",
&long_opts[0], NULL)) != EOF)
#else /* __GNU_LIBRARY__ */
while ((o = getopt(argc, argv, "s:dwqVDr:T:phR")) != EOF)
#endif /* __GNU_LIBRARY__ */
switch (o) {
case 'd':
flag_debug++;
break;
Reported by FlawFinder.
Line: 206
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum_counter = 1;
} else {
struct string_list *expr;
char buf[20];
snprintf(buf, sizeof(buf), "%d", enum_counter++);
if (last_enum_expr) {
expr = copy_list_range(last_enum_expr, NULL);
defn = concat_list(mk_node("("),
Reported by FlawFinder.
Line: 410
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct string_list *read_node(FILE *f)
{
char buffer[256];
struct string_list node = {
.string = buffer,
.tag = SYM_NORMAL };
int c, in_string = 0;
Reported by FlawFinder.
Line: 796
Column: 15
CWE codes:
362
break;
case 'r':
flag_reference = 1;
ref_file = fopen(optarg, "r");
if (!ref_file) {
perror(optarg);
return 1;
}
break;
Reported by FlawFinder.
Line: 804
Column: 15
CWE codes:
362
break;
case 'T':
flag_dump_types = 1;
dumpfile = fopen(optarg, "w");
if (!dumpfile) {
perror(optarg);
return 1;
}
break;
Reported by FlawFinder.
Line: 416
Column: 14
CWE codes:
120
20
.tag = SYM_NORMAL };
int c, in_string = 0;
while ((c = fgetc(f)) != EOF) {
if (!in_string && c == ' ') {
if (node.string == buffer)
continue;
break;
} else if (c == '"') {
Reported by FlawFinder.
net/sctp/auth.c
9 issues
Line: 185
Column: 30
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
* are called the two key vectors.
*/
static struct sctp_auth_bytes *sctp_auth_make_key_vector(
struct sctp_random_param *random,
struct sctp_chunks_param *chunks,
struct sctp_hmac_algo_param *hmacs,
gfp_t gfp)
{
struct sctp_auth_bytes *new;
Reported by FlawFinder.
Line: 206
Column: 20
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!new)
return NULL;
memcpy(new->data, random, random_len);
offset += random_len;
if (chunks) {
memcpy(new->data + offset, chunks, chunks_len);
offset += chunks_len;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new)
return NULL;
memcpy(new->data, random, random_len);
offset += random_len;
if (chunks) {
memcpy(new->data + offset, chunks, chunks_len);
offset += chunks_len;
Reported by FlawFinder.
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset += random_len;
if (chunks) {
memcpy(new->data + offset, chunks, chunks_len);
offset += chunks_len;
}
memcpy(new->data + offset, hmacs, hmacs_len);
Reported by FlawFinder.
Line: 214
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset += chunks_len;
}
memcpy(new->data + offset, hmacs, hmacs_len);
return new;
}
Reported by FlawFinder.
Line: 271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
if (ep_key->key) {
memcpy(secret->data, ep_key->key->data, ep_key->key->len);
offset += ep_key->key->len;
}
memcpy(secret->data + offset, first_vector->data, first_vector->len);
offset += first_vector->len;
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset += ep_key->key->len;
}
memcpy(secret->data + offset, first_vector->data, first_vector->len);
offset += first_vector->len;
memcpy(secret->data + offset, last_vector->data, last_vector->len);
return secret;
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(secret->data + offset, first_vector->data, first_vector->len);
offset += first_vector->len;
memcpy(secret->data + offset, last_vector->data, last_vector->len);
return secret;
}
/* Create an association shared key. Follow the algorithm
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(key->data, &auth_key->sca_key[0], auth_key->sca_keylength);
cur_key->key = key;
if (!replace) {
list_add(&cur_key->key_list, sh_keys);
return 0;
Reported by FlawFinder.
sound/soc/soc-component.c
9 issues
Line: 289
Column: 25
CWE codes:
362
{
int ret = 0;
if (component->driver->open)
ret = component->driver->open(component, substream);
/* mark substream if succeeded */
if (ret == 0)
soc_component_mark_push(component, substream, open);
Reported by FlawFinder.
Line: 290
Column: 28
CWE codes:
362
int ret = 0;
if (component->driver->open)
ret = component->driver->open(component, substream);
/* mark substream if succeeded */
if (ret == 0)
soc_component_mark_push(component, substream, open);
Reported by FlawFinder.
Line: 294
Column: 49
CWE codes:
362
/* mark substream if succeeded */
if (ret == 0)
soc_component_mark_push(component, substream, open);
return soc_component_ret(component, ret);
}
int snd_soc_component_close(struct snd_soc_component *component,
Reported by FlawFinder.
Line: 305
Column: 66
CWE codes:
362
{
int ret = 0;
if (rollback && !soc_component_mark_match(component, substream, open))
return 0;
if (component->driver->close)
ret = component->driver->close(component, substream);
Reported by FlawFinder.
Line: 312
Column: 47
CWE codes:
362
ret = component->driver->close(component, substream);
/* remove marked substream */
soc_component_mark_pop(component, substream, open);
return soc_component_ret(component, ret);
}
void snd_soc_component_suspend(struct snd_soc_component *component)
Reported by FlawFinder.
Line: 436
Column: 40
CWE codes:
362
for_each_rtd_components(rtd, i, component) {
if (component->driver->compress_ops &&
component->driver->compress_ops->open) {
ret = component->driver->compress_ops->open(component, cstream);
if (ret < 0)
return soc_component_ret(component, ret);
}
soc_component_mark_push(component, cstream, compr_open);
Reported by FlawFinder.
Line: 437
Column: 43
CWE codes:
362
for_each_rtd_components(rtd, i, component) {
if (component->driver->compress_ops &&
component->driver->compress_ops->open) {
ret = component->driver->compress_ops->open(component, cstream);
if (ret < 0)
return soc_component_ret(component, ret);
}
soc_component_mark_push(component, cstream, compr_open);
}
Reported by FlawFinder.
Line: 691
Column: 30
CWE codes:
120
20
if (component->regmap)
ret = regmap_read(component->regmap, reg, &val);
else if (component->driver->read) {
ret = 0;
val = component->driver->read(component, reg);
}
else
ret = -EIO;
Reported by FlawFinder.
Line: 693
Column: 28
CWE codes:
120
20
ret = regmap_read(component->regmap, reg, &val);
else if (component->driver->read) {
ret = 0;
val = component->driver->read(component, reg);
}
else
ret = -EIO;
if (ret < 0)
Reported by FlawFinder.
sound/usb/caiaq/device.h
9 issues
Line: 69
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct urb **data_urbs_out;
struct snd_usb_caiaq_cb_info *data_cb_info;
unsigned char ep1_in_buf[EP1_BUFSIZE];
unsigned char ep1_out_buf[EP1_BUFSIZE];
unsigned char midi_out_buf[EP1_BUFSIZE];
struct caiaq_device_spec spec;
spinlock_t spinlock;
Reported by FlawFinder.
Line: 70
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snd_usb_caiaq_cb_info *data_cb_info;
unsigned char ep1_in_buf[EP1_BUFSIZE];
unsigned char ep1_out_buf[EP1_BUFSIZE];
unsigned char midi_out_buf[EP1_BUFSIZE];
struct caiaq_device_spec spec;
spinlock_t spinlock;
wait_queue_head_t ep1_wait_queue;
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ep1_in_buf[EP1_BUFSIZE];
unsigned char ep1_out_buf[EP1_BUFSIZE];
unsigned char midi_out_buf[EP1_BUFSIZE];
struct caiaq_device_spec spec;
spinlock_t spinlock;
wait_queue_head_t ep1_wait_queue;
wait_queue_head_t prepare_wait_queue;
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int spec_received, audio_parm_answer;
int midi_out_active;
char vendor_name[CAIAQ_USB_STR_LEN];
char product_name[CAIAQ_USB_STR_LEN];
int n_streams, n_audio_in, n_audio_out;
int streaming, first_packet, output_running;
int audio_in_buf_pos[MAX_STREAMS];
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int midi_out_active;
char vendor_name[CAIAQ_USB_STR_LEN];
char product_name[CAIAQ_USB_STR_LEN];
int n_streams, n_audio_in, n_audio_out;
int streaming, first_packet, output_running;
int audio_in_buf_pos[MAX_STREAMS];
int audio_out_buf_pos[MAX_STREAMS];
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snd_pcm_substream *sub_capture[MAX_STREAMS];
/* Controls */
unsigned char control_state[256];
unsigned char ep8_out_buf[2];
/* Linux input */
#ifdef CONFIG_SND_USB_CAIAQ_INPUT
struct input_dev *input_dev;
Reported by FlawFinder.
Line: 99
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Controls */
unsigned char control_state[256];
unsigned char ep8_out_buf[2];
/* Linux input */
#ifdef CONFIG_SND_USB_CAIAQ_INPUT
struct input_dev *input_dev;
char phys[64]; /* physical device path */
Reported by FlawFinder.
Line: 104
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Linux input */
#ifdef CONFIG_SND_USB_CAIAQ_INPUT
struct input_dev *input_dev;
char phys[64]; /* physical device path */
unsigned short keycode[128];
struct urb *ep4_in_urb;
unsigned char ep4_in_buf[EP4_BUFSIZE];
#endif
Reported by FlawFinder.
Line: 107
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char phys[64]; /* physical device path */
unsigned short keycode[128];
struct urb *ep4_in_urb;
unsigned char ep4_in_buf[EP4_BUFSIZE];
#endif
/* ALSA */
struct snd_pcm *pcm;
struct snd_pcm_hardware pcm_info;
Reported by FlawFinder.
sound/isa/wavefront/wavefront_midi.c
9 issues
Line: 246
Column: 28
CWE codes:
362
if (!midi)
return -EIO;
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] |= MPU401_MODE_INPUT;
midi->substream_input[mpu] = substream;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
Reported by FlawFinder.
Line: 249
Column: 33
CWE codes:
362
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] |= MPU401_MODE_INPUT;
midi->substream_input[mpu] = substream;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_open(struct snd_rawmidi_substream *substream)
Reported by FlawFinder.
Line: 271
Column: 28
CWE codes:
362
if (!midi)
return -EIO;
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] |= MPU401_MODE_OUTPUT;
midi->substream_output[mpu] = substream;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
Reported by FlawFinder.
Line: 274
Column: 33
CWE codes:
362
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] |= MPU401_MODE_OUTPUT;
midi->substream_output[mpu] = substream;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substream)
Reported by FlawFinder.
Line: 296
Column: 28
CWE codes:
362
if (!midi)
return -EIO;
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
Reported by FlawFinder.
Line: 298
Column: 33
CWE codes:
362
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substream)
Reported by FlawFinder.
Line: 320
Column: 28
CWE codes:
362
if (!midi)
return -EIO;
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
Reported by FlawFinder.
Line: 322
Column: 33
CWE codes:
362
spin_lock_irqsave (&midi->open, flags);
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static void snd_wavefront_midi_input_trigger(struct snd_rawmidi_substream *substream, int up)
{
Reported by FlawFinder.
Line: 488
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ok, i;
unsigned char rbuf[4], wbuf[4];
snd_wavefront_t *dev;
snd_wavefront_midi_t *midi;
dev = &card->wavefront;
midi = &dev->midi;
Reported by FlawFinder.
sound/core/control_compat.c
9 issues
Line: 53
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct snd_ctl_elem_info32 {
struct snd_ctl_elem_id id; // the size of struct is same
s32 type;
u32 access;
u32 count;
s32 owner;
union {
struct {
s32 min;
Reported by FlawFinder.
Line: 19
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 used;
u32 count;
u32 pids;
unsigned char reserved[50];
} /* don't set packed attribute here */;
static int snd_ctl_elem_list_compat(struct snd_card *card,
struct snd_ctl_elem_list32 __user *data32)
{
Reported by FlawFinder.
Line: 70
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
u32 items;
u32 item;
char name[64];
u64 names_ptr;
u32 names_length;
} enumerated;
unsigned char reserved[128];
} value;
Reported by FlawFinder.
Line: 74
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 names_ptr;
u32 names_length;
} enumerated;
unsigned char reserved[128];
} value;
unsigned char reserved[64];
} __attribute__((packed));
static int snd_ctl_elem_info_compat(struct snd_ctl_file *ctl,
Reported by FlawFinder.
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} enumerated;
unsigned char reserved[128];
} value;
unsigned char reserved[64];
} __attribute__((packed));
static int snd_ctl_elem_info_compat(struct snd_ctl_file *ctl,
struct snd_ctl_elem_info32 __user *data32)
{
Reported by FlawFinder.
Line: 145
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int indirect; /* bit-field causes misalignment */
union {
s32 integer[128];
unsigned char data[512];
#ifndef CONFIG_X86_64
s64 integer64[64];
#endif
} value;
unsigned char reserved[128];
Reported by FlawFinder.
Line: 150
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s64 integer64[64];
#endif
} value;
unsigned char reserved[128];
};
#ifdef CONFIG_X86_X32
/* x32 has a different alignment for 64bit values from ia32 */
struct snd_ctl_elem_value_x32 {
Reported by FlawFinder.
Line: 160
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int indirect; /* bit-field causes misalignment */
union {
s32 integer[128];
unsigned char data[512];
s64 integer64[64];
} value;
unsigned char reserved[128];
};
#endif /* CONFIG_X86_X32 */
Reported by FlawFinder.
Line: 163
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char data[512];
s64 integer64[64];
} value;
unsigned char reserved[128];
};
#endif /* CONFIG_X86_X32 */
/* get the value type and count of the control */
static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id,
Reported by FlawFinder.
sound/drivers/mts64.c
9 issues
Line: 766
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return err;
rmidi->private_data = mts;
strcpy(rmidi->name, CARD_NAME);
rmidi->info_flags = SNDRV_RAWMIDI_INFO_OUTPUT |
SNDRV_RAWMIDI_INFO_INPUT |
SNDRV_RAWMIDI_INFO_DUPLEX;
mts->rmidi = rmidi;
Reported by FlawFinder.
Line: 930
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
snd_printd("Cannot create card\n");
return err;
}
strcpy(card->driver, DRIVER_NAME);
strcpy(card->shortname, "ESI " CARD_NAME);
sprintf(card->longname, "%s at 0x%lx, irq %i",
card->shortname, p->base, p->irq);
mts64_cb.private = card; /* private */
Reported by FlawFinder.
Line: 931
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return err;
}
strcpy(card->driver, DRIVER_NAME);
strcpy(card->shortname, "ESI " CARD_NAME);
sprintf(card->longname, "%s at 0x%lx, irq %i",
card->shortname, p->base, p->irq);
mts64_cb.private = card; /* private */
pardev = parport_register_dev_model(p, /* port */
Reported by FlawFinder.
Line: 932
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
strcpy(card->driver, DRIVER_NAME);
strcpy(card->shortname, "ESI " CARD_NAME);
sprintf(card->longname, "%s at 0x%lx, irq %i",
card->shortname, p->base, p->irq);
mts64_cb.private = card; /* private */
pardev = parport_register_dev_model(p, /* port */
DRIVER_NAME, /* name */
Reported by FlawFinder.
Line: 24
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define PLATFORM_DRIVER "snd_mts64"
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX;
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR;
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
static struct platform_device *platform_devices[SNDRV_CARDS];
static int device_count;
Reported by FlawFinder.
Line: 590
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_mts64_ctl_smpte_fps_info(struct snd_kcontrol *kctl,
struct snd_ctl_elem_info *uinfo)
{
static const char * const texts[5] = {
"24", "25", "29.97", "30D", "30"
};
return snd_ctl_enum_info(uinfo, 1, 5, texts);
}
Reported by FlawFinder.
Line: 784
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
list_for_each(list,
&rmidi->streams[SNDRV_RAWMIDI_STREAM_OUTPUT].substreams) {
substream = list_entry(list, struct snd_rawmidi_substream, list);
sprintf(substream->name,
"Miditerminal %d", substream->number+1);
}
/* input */
list_for_each(list,
&rmidi->streams[SNDRV_RAWMIDI_STREAM_INPUT].substreams) {
Reported by FlawFinder.
Line: 794
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
mts->midi_input_substream[substream->number] = substream;
switch(substream->number) {
case MTS64_SMPTE_SUBSTREAM:
strcpy(substream->name, "Miditerminal SMPTE");
break;
default:
sprintf(substream->name,
"Miditerminal %d", substream->number+1);
}
Reported by FlawFinder.
Line: 797
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(substream->name, "Miditerminal SMPTE");
break;
default:
sprintf(substream->name,
"Miditerminal %d", substream->number+1);
}
}
/* controls */
Reported by FlawFinder.
samples/bpf/test_cgrp2_sock.c
9 issues
Line: 213
Column: 15
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int do_attach = 1;
int rc;
while ((rc = getopt(argc, argv, "db:m:p:6")) != -1) {
switch (rc) {
case 'd':
do_attach = 0;
break;
case 'b':
Reported by FlawFinder.
Line: 28
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "bpf_insn.h"
char bpf_log_buf[BPF_LOG_BUF_SIZE];
static int prog_load(__u32 idx, __u32 mark, __u32 prio)
{
/* save pointer to context */
struct bpf_insn prog_start[] = {
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return EXIT_FAILURE;
}
memcpy(p, prog_start, sizeof(prog_start));
p += sizeof(prog_start);
if (idx) {
memcpy(p, prog_dev, sizeof(prog_dev));
p += sizeof(prog_dev);
Reported by FlawFinder.
Line: 99
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += sizeof(prog_start);
if (idx) {
memcpy(p, prog_dev, sizeof(prog_dev));
p += sizeof(prog_dev);
}
if (mark) {
memcpy(p, prog_mark, sizeof(prog_mark));
Reported by FlawFinder.
Line: 104
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (mark) {
memcpy(p, prog_mark, sizeof(prog_mark));
p += sizeof(prog_mark);
}
if (prio) {
memcpy(p, prog_prio, sizeof(prog_prio));
Reported by FlawFinder.
Line: 109
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (prio) {
memcpy(p, prog_prio, sizeof(prog_prio));
p += sizeof(prog_prio);
}
memcpy(p, prog_end, sizeof(prog_end));
p += sizeof(prog_end);
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += sizeof(prog_prio);
}
memcpy(p, prog_end, sizeof(prog_end));
p += sizeof(prog_end);
insns_cnt /= sizeof(struct bpf_insn);
ret = bpf_load_program(BPF_PROG_TYPE_CGROUP_SOCK, prog, insns_cnt,
Reported by FlawFinder.
Line: 168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int show_sockopts(int family)
{
unsigned int mark, prio;
char name[16];
int sd;
sd = socket(family, SOCK_DGRAM, 17);
if (sd < 0) {
perror("socket");
Reported by FlawFinder.
Line: 257
Column: 10
CWE codes:
362
return EXIT_FAILURE;
}
cg_fd = open(cgrp_path, O_DIRECTORY | O_RDONLY);
if (cg_fd < 0) {
printf("Failed to open cgroup path: '%s'\n", strerror(errno));
return EXIT_FAILURE;
}
Reported by FlawFinder.